Update PackageLicenseDeclared to output license info (tag/value)

Previously the `PackageLicenseDeclared` data for `spdxtagvalue`
was set to license reference of type `LicenseRef-df8cb33` which is
not informative. This change updates that data to the actual
license info, f.e. `MIT`, in case a license is declared, or the
`LicenseRef-df8cb33` value if it's not

Signed-off-by: Ivana Atanasova <[email protected]>

Author: ivanayov

requirements.txt

@@ -17,3 +17,4 @@ regex>=2022.3
 GitPython~=3.1
 prettytable~=3.2
 packageurl-python>=0.9.9
+license_expression>=21.6.14

tern/formats/spdx/spdxtagvalue/package_helpers.py

@@ -7,11 +7,20 @@
 Helper functions for packages in SPDX document
 """
 
+from license_expression import get_spdx_licensing
 from tern.formats.spdx.spdxtagvalue import formats as spdx_formats
 from tern.formats.spdx import spdx_common
 from tern.report import content
 
 
+def is_spdx_license_expression(license_data):
+    '''Return True if the license is a valid SPDX license expression, else
+    return False'''
+    licensing = get_spdx_licensing()
+    if ',' in license_data:
+        license_data = license_data.replace(',', ' ')
+    return licensing.validate(license_data).errors == []
+
 def get_package_comment(package_obj):
     '''Return a PackageComment tag-value text block for a list of
     NoticeOrigin objects'''
@@ -24,6 +33,14 @@ def get_package_comment(package_obj):
     return comment
 
 
+def get_package_license_declared(package_license_declared):
+    if package_license_declared:
+        if is_spdx_license_expression(package_license_declared):
+            return package_license_declared
+        return spdx_common.get_license_ref(package_license_declared)
+    return 'NONE'
+
+
 def get_source_package_block(package_obj, template):
     '''Given a package object and its SPDX template mapping, return a SPDX
     document block for the corresponding source package.
@@ -55,11 +72,8 @@ def get_source_package_block(package_obj, template):
     # Package License Concluded (always NOASSERTION)
     block += 'PackageLicenseConcluded: NOASSERTION\n'
     # Package License Declared (use the license ref for this)
-    if mapping['PackageLicenseDeclared']:
-        block += 'PackageLicenseDeclared: {}\n'.format(
-            spdx_common.get_license_ref(mapping['PackageLicenseDeclared']))
-    else:
-        block += 'PackageLicenseDeclared: NONE\n'
+    block += 'PackageLicenseDeclared: ' + get_package_license_declared(
+        mapping['PackageLicenseDeclared']) + '\n'
     # Package Copyright Text
     if mapping['PackageCopyrightText']:
         block += 'PackageCopyrightText:' + spdx_formats.block_text.format(
@@ -100,11 +114,8 @@ def get_package_block(package_obj, template):
     # Package License Concluded (always NOASSERTION)
     block += 'PackageLicenseConcluded: NOASSERTION\n'
     # Package License Declared (use the license ref for this)
-    if mapping['PackageLicenseDeclared']:
-        block += 'PackageLicenseDeclared: {}\n'.format(
-            spdx_common.get_license_ref(mapping['PackageLicenseDeclared']))
-    else:
-        block += 'PackageLicenseDeclared: NONE\n'
+    block += 'PackageLicenseDeclared: ' + get_package_license_declared(
+        mapping['PackageLicenseDeclared']) + '\n'
     # Package Copyright Text
     if mapping['PackageCopyrightText']:
         block += 'PackageCopyrightText:' + spdx_formats.block_text.format(